On January 15, a hacker attempted to poison a water treatment plant that served parts of the San Francisco Bay Area. It didn’t seem difficult.
The hacker had the username and password for a former employee’s TeamViewer account, a popular program that allows users to remotely control their computers, according to a private report compiled by the Northern California Regional Intelligence Center in February and seen by NBC News.
After logging in, the hacker, whose name and motive are unknown and who was not identified by law enforcement, deleted the programs the water plant was using to treat the potable water.
The hack was not discovered until the next day, and the institution changed its passwords and reinstalled the programs.
“No outages have been reported as a result of this incident, and no individual in the city has reported illness due to water-related outages,” noted the report, which did not specify which water treatment plant had been breached.
The incident, which has not been reported before, is one of a growing number of cyberattacks on U.S. water infrastructure that have recently come to light. The Bay Area attack was followed by a similar attack in Oldsmar, Florida, a few weeks later. In that incident, which made headlines around the world, a hacker also gained access to a TeamViewer account and raised the amount of lye in the drinking water to toxic levels. An employee quickly detected the movement of the computer mouse and rolled back the changes made by the hacker.
The Biden administration and the public are in the midst of a cybersecurity reckoning. Russian and Chinese spies have infiltrated numerous federal government networks, sometimes going undetected for months. Criminals have hacked into virtually every industry and extorted companies at will, including those that occupy significant parts of America’s supply chains.
But of all of the country’s critical infrastructure, water is perhaps the most vulnerable to hackers: the hardest in which to ensure everyone follows basic cybersecurity steps, and the easiest in which to cause major, real damage to a lot of people.
America’s water infrastructure has some built-in security, most notably its lack of centralization. Widespread water hacking would be difficult to achieve, much like hacking the U.S. election, as each installation works independently rather than in tandem with others.
But it also means that there is no simple solution to protecting water installations. The Bay Area case is still under FBI investigation. It is not known how the hacker(s) gained access to these TeamViewer accounts. But buying, repackaging and selling login credentials is a staple of dark web forums. The usernames and passwords of at least 11 Oldsmar employees have been traded on the dark web, said Kent Backman, a researcher at cybersecurity firm Dragos.
To date, a real disaster – where a hacker was able to poison the drinking water of a population, causing mass illness or even death – has not happened. But a number of installations have been hacked over the past year, although most receive little attention. In Pennsylvania, a state water warning system has reportedly alerted its members to two recent hacks at state water plants. In another previously unreported hack, the Camrosa Water District in Southern California was infected with ransomware last summer.
It is impossible to say whether hacks on water treatment plants have recently become more common or simply more visible, as there is no comprehensive federal or industrial accounting of the safety of water treatment plants.
“It is really difficult to apply some sort of uniform assessment of cyber hygiene, given the disparate size, capacity and technical capacity of all water utilities,” said Mike Keegan, analyst at the National Rural Water Association, an industry trade group.
“You don’t really have a good assessment of what’s going on,” he said.
Unlike the power grid, which is largely managed by a small number of for-profit companies, most of the more than 50,000 drinking water facilities in the United States are non-profit entities. Some that serve large populations are larger operations with dedicated cybersecurity staff. But rural areas in particular often get their water from small plants, often run by only a handful of employees who aren’t dedicated cybersecurity experts, said Bryson Bort, consultant on industrial cybersecurity systems.
“They’re even more fragmented at lower levels than anything we’re used to talking about, like the power grid,” he said. “If you could imagine a community center run by two old plumbers, this is your average water plant.”
There has never been a national cybersecurity audit of water treatment facilities, and the U.S. government has said it does not intend to conduct one. While individual establishments can seek help from the federal government to protect themselves, few do. In most cases, it’s up to each water plant to protect itself, and even if it knows it has been hacked – a big if – it might not be inclined to tell the federal government, let alone its customers. This means that hacks can take years to come to light, if they ever do.
In March, the acting U.S. attorney for Kansas indicted a former employee of a tiny Ellsworth County water treatment plant over an incident two years earlier. A night worker who had worked at the Post Rock Rural Water District logged into a remote online monitoring system and attempted to shut down the plant’s cleaning and disinfection operations in 2019, the Department of Justice said. The former employee pleaded not guilty and his lawyer did not respond to a request for comment.
Small rural water supply facilities tend to be reluctant to share their vulnerabilities, said Daryn Martin, technical assistant at the Kansas Rural Water Association, a trade organization for about 800 Kansas water treatment facilities, including Post Rock.
“Usually they don’t report to the federal government. There’s a certain mistrust, you know, in a small town in the Midwestern United States,” he said.
But letting employees connect remotely to do basic work offers substantial benefits to rural workers who are periodically alerted to minor issues that require their attention, Martin said.
“Remote access eliminates the need to manage a facility 24 hours a day,” he said. “We have a lot of remote river basin districts that cover hundreds of kilometers. Paying a guy to drive 30 miles to turn on a pump, then he might have to turn it off in 3 hours when the tank is full? He can do it all from a distance. This saves money.”
The Cybersecurity and Infrastructure Security Agency, the leading federal cybersecurity defense agency, is responsible for helping secure the country’s infrastructure, including water. But it does not regulate the sector and is largely limited to advising and assisting organizations that request it.
Only a tiny fraction of the nation’s water supply facilities choose to use CISA’s services – “several hundred” out of more than 50,000 in the United States, said Anne Cutler, a spokesperson for the agency.
Among those that do, the picture is grim, according to an internal CISA investigation conducted earlier this year, the results of which the agency shared with NBC. Up to 1 in 10 water and wastewater treatment plants have recently discovered a critical cybersecurity vulnerability. More shockingly, more than 80% of the top plant vulnerabilities surveyed were software flaws discovered before 2017, indicating a rampant problem with employees not updating their software.
Some things are improving slightly. Congress recently gave CISA legal authority to force Internet service providers to reveal the identity of organizations that it or other government agencies believe are targets of hackers.
The White House plans to launch a voluntary cybersecurity collaboration between the federal government and water facilities, similar to that announced with the energy industry in April, a spokesperson said, although no date has been announced.
However, experts said no one is claiming that any government initiative can make U.S. water completely safe from hackers.
“These two plumbers aren’t in a different boat than a Fortune 100 company,” Bort said.